CVE-2026-50455: July 2026 Updates Fix Windows UPnP Data Leak

Microsoft’s July 14, 2026 security updates fix CVE-2026-50455, an Important-rated information disclosure vulnerability in Windows Universal Plug and Play library upnp.dll. The flaw requires an attacker to have local access and low-level privileges, but successful exploitation could expose information with a high confidentiality impact.
Detailed in the Microsoft Security Response Center’s Security Update Guide and recorded by the National Vulnerability Database, CVE-2026-50455 affects Windows 10, Windows 11, and multiple Windows Server generations. Administrators should deploy the July cumulative security updates and confirm that endpoints have reached the corrected build for their Windows release.
Microsoft says the vulnerability results from the use of an uninitialized resource. The company had not reported public disclosure or exploitation in the wild when the advisory was published, and its exploitability assessment was Exploitation Less Likely.

Cybersecurity graphic highlights a Windows UPnP information-disclosure flaw and July 14, 2026 Patch Tuesday.A Local Flaw With a High Confidentiality Impact​

CVE-2026-50455 carries a CVSS 3.1 base score of 5.5, categorized as Medium under the scoring system. Microsoft nevertheless classifies the vulnerability as Important, reflecting its own product-focused severity methodology rather than relying solely on the numerical score.
The vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, exploitation requires local access, has low attack complexity, requires low privileges, and does not depend on a victim clicking a link, opening a file, or taking another action.
A successful attack affects confidentiality but is not scored as directly changing data or disrupting system availability. The confidentiality impact is rated High, although Microsoft’s public description does not specify exactly what information could be exposed from the affected process.
That distinction matters for triage. This is not a drive-by UPnP attack that an unauthenticated device can launch across the Internet, despite the network-oriented reputation of Universal Plug and Play. Microsoft describes CVE-2026-50455 as a local vulnerability available to an authorized attacker—security terminology that normally means the attacker already has some ability to execute code or interact with the target system.
The lack of required user interaction still makes it potentially useful after an initial compromise. An attacker who has obtained limited execution could attempt to use an information disclosure flaw to reveal memory contents, addresses, or other process data that assists a later stage of an attack. Microsoft has not documented such an exploit chain for CVE-2026-50455, so that remains a risk scenario rather than evidence of active use.

Uninitialized Data Is the Root of the Leak​

The vulnerability is classified as CWE-908, Use of Uninitialized Resource. This weakness occurs when software uses memory or another resource before its contents or state have been properly established.
Depending on the implementation, uninitialized memory can contain data left behind by earlier operations. Returning or otherwise exposing that content may reveal information that the current user or process was not meant to receive. It can also disclose memory-layout details that weaken defensive technologies when combined with another vulnerability.
Microsoft has identified upnp.dll as the affected component but has not published proof-of-concept code, detailed reproduction steps, or a description of the particular UPnP operation involved. That limited disclosure is normal for a newly patched Windows vulnerability, particularly when more technical detail could shorten the path to weaponization.
The advisory’s report-confidence metric is Confirmed. That designation means Microsoft has confirmed the vulnerability or that sufficiently detailed technical material exists to verify it; it does not mean attacks have been observed.
That difference is easy to miss when vulnerability scanners display the confidence field beside exploitability data. Report confidence measures certainty that the defect exists and confidence in its technical characterization. Public disclosure and active exploitation are separate fields, and both were listed as No for CVE-2026-50455 at publication.

The Patch Reaches Deep Into the Windows Estate​

The affected-product record spans current Windows 11 releases, older Windows 10 branches, and server installations going back to Windows Server 2012. Both desktop and Server Core configurations appear where applicable.
Corrected build thresholds recorded for the vulnerability include:
  • Windows 11 24H2 and Windows 11 25H2 are corrected at build 8875 for their respective 26100 and 26200 branches.
  • Windows 11 version 26H1 is corrected at build 28000.2269.
  • Windows 10 21H2 and 22H2 are corrected at builds 19044.7548 and 19045.7548.
  • Windows 10 version 1607 and Windows Server 2016 are corrected at build 14393.9339.
  • Windows 10 version 1809 and Windows Server 2019 are corrected at build 17763.9020.
  • Windows Server 2022 is corrected at build 20348.5386.
  • Windows Server 2025 is corrected at build 26100.33158.
  • Windows Server 2012 and Windows Server 2012 R2 are corrected at builds 9200.26226 and 9600.23291.
Systems below those builds remain in the affected range identified in the CVE record. The presence of an older product in that record does not by itself guarantee that every organization can obtain the update through ordinary Windows Update channels; extended-support and Extended Security Updates eligibility still govern patch access for retired Windows versions.
The broad product range indicates that the vulnerable code is shared across numerous Windows generations. It also means administrators should not assume that disabling consumer-oriented device discovery on workstations removes the need to patch servers. Microsoft lists Server Core installations of Windows Server 2012, 2012 R2, 2016, 2019, and 2025 among the affected configurations.

Patch Priority Depends on What Already Has a Foothold​

CVE-2026-50455 is not the leading emergency in Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer counted 570 Microsoft vulnerabilities in the monthly rollout, including two flaws already exploited in attacks and one additional publicly disclosed zero-day.
That wider release context matters for deployment order. Internet-facing servers, Active Directory Federation Services, SharePoint Server, and systems exposed to remotely exploitable vulnerabilities may warrant earlier treatment than this local information disclosure issue. CVE-2026-50455 should still be included in the normal July cumulative-update cycle rather than deferred indefinitely because of its 5.5 score.
Organizations with endpoint detection telemetry should pay particular attention to unexpected local processes interacting with UPnP components, especially when preceded by credential theft, suspicious script execution, or exploitation of another local vulnerability. Microsoft has not provided a standalone detection rule or workaround for the flaw, making installation of the relevant cumulative update the dependable remediation.
For managed estates, the practical verification step is build-based. Windows Update for Business, WSUS, Microsoft Configuration Manager, Intune, and third-party patch systems may report a cumulative update as installed while endpoints remain pending a reboot or fail to advance to the expected OS build. Inventory queries should therefore confirm the resulting build number, not merely the update’s deployment status.
CVE-2026-50455 does not currently carry the hallmarks of an immediate network-wide outbreak: it is local, privilege-gated, not publicly disclosed before patching, and assessed as less likely to be exploited. Its confirmed information leak in a Windows component shared across client and server releases nevertheless gives administrators a straightforward task—install the July 14, 2026 cumulative updates and verify that every supported system has crossed the corrected build threshold.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top